Legal claims defining the scope of protection, as filed with the USPTO.
1. A method comprising, on a multitenant shared-resources system: maintaining a domain information cache, the domain information cache comprising domain information for a plurality of managed domains, wherein the plurality of managed domains are organized into a plurality of independent management hierarchies, wherein the plurality of independent management hierarchies each subsume therein one or more domains of the plurality of managed domains; wherein each domain of the plurality of managed domains comprises a collection of network objects that share a same directory-services database; wherein each management hierarchy of the plurality of independent management hierarchies defines an independent security boundary such that network objects of the one or more domains subsumed therein are not made accessible to network objects of any other management hierarchy of the plurality of independent management hierarchies; receiving credentials from a client system, the credentials corresponding to a user of the client system; storing the credentials in a security cookie; extracting a domain-relevant portion from the credentials; based, at least in part, on a search of the domain information cache, identifying a directory level of a particular management hierarchy of the plurality of independent management hierarchies that defines a security boundary for the user; ascertaining a catalog server for the identified directory level; retrieving user-identification information from the catalog server; parsing the user-identification information to yield a domain of the user; authenticating, using the credentials, an identity of the user with an authentication server associated with the domain of the user; responsive to successful authentication: compiling a list of authorized resources to which the user has access; and providing the list of authorized resources to the client system.
2. The method of claim 1, comprising: receiving a request from the client system to access a target resource selected from the list of authorized resources; resolving the target resource to a network location; sending a message to the target resource, the message comprising an instruction to add the user to a resource group for the target resource; and providing a ticket to the client system, the ticket comprising an identifier of the security cookie.
3. The method of claim 2 comprising, upon user logout, removing the user from the resource group.
4. The method of claim 1, wherein: the user-identification information comprises a distinguished name of the user; and the parsing comprises parsing the distinguished name.
5. The method of claim 1, comprising retrieving the authentication server from a domain name system (DNS) server associated with the domain of the user.
6. The method of claim 1, wherein: the directory level comprises an Active Directory forest; the plurality of managed domains belong to multiple Active Directory forests; and the identifying of the directory level comprises searching user principal name (UPN) suffixes of each forest in the domain information cache for a match with the domain-relevant portion.
7. The method of claim 1, wherein the list of authorized resources comprises a list of virtual desktops.
8. The method of claim 1, wherein the authentication server comprises an active directory server.
9. An information handling system comprising: a hardware computer processor, wherein the hardware computer processor is operable to implement a method, the method comprising: maintaining a domain information cache, the domain information cache comprising domain information for a plurality of managed domains, wherein the plurality of managed domains are organized into a plurality of independent management hierarchies, wherein the plurality of independent management hierarchies each subsume therein one or more domains of the plurality of managed domains; wherein each domain of the plurality of managed domains comprises a collection of network objects that share a same directory-services database; wherein each management hierarchy of the plurality of independent management hierarchies defines an independent security boundary such that network objects of the one or more domains subsumed therein are not made accessible to network objects of any other management hierarchy of the plurality of independent management hierarchies; receiving credentials from a client system, the credentials corresponding to a user of the client system; storing the credentials in a security cookie; extracting a domain-relevant portion from the credentials; based, at least in part, on a search of the domain information cache, identifying a directory level of a particular management hierarchy of the plurality of independent management hierarchies that defines a security boundary for the user; ascertaining a catalog server for the identified directory level; retrieving user-identification information from the catalog server; parsing the user-identification information to yield a domain of the user; authenticating, using the credentials, an identity of the user with an authentication server associated with the domain of the user; responsive to successful authentication: compiling a list of authorized resources to which the user has access; and providing the list of authorized resources to the client system.
10. The information handling system of claim 9, the method comprising: receiving a request from the client system to access a target resource selected from the list of authorized resources; resolving the target resource to a network location; sending a message to the target resource, the message comprising an instruction to add the user to a resource group for the target resource; and providing a ticket to the client system, the ticket comprising an identifier of the security cookie.
11. The information handling system of claim 10, the method comprising, upon user logout, removing the user from the resource group.
12. The information handling system of claim 9, wherein: the user-identification information comprises a distinguished name of the user; and the parsing comprises parsing the distinguished name.
13. The information handling system of claim 9, comprising retrieving the authentication server from a domain name system (DNS) server associated with the domain of the user.
14. The information handling system of claim 9, wherein: the directory level comprises an Active Directory forest; the plurality of managed domains belong to multiple Active Directory forests; and the identifying of the directory level comprises searching user principal name (UPN) suffixes of each forest in the domain information cache for a match with the domain-relevant portion.
15. The information handling system of claim 9, wherein the list of authorized resources comprises a list of virtual desktops.
16. A computer-program product comprising a non-transitory computer-usable medium having computer-readable program code embodied therein, the computer-readable program code adapted to be executed to implement a method comprising: maintaining a domain information cache, the domain information cache comprising domain information for a plurality of managed domains, wherein the plurality of managed domains are organized into a plurality of independent management hierarchies, wherein the plurality of independent management hierarchies each subsume therein one or more domains of the plurality of managed domains; wherein each domain of the plurality of managed domains comprises a collection of network objects that share a same directory-services database; wherein each management hierarchy of the plurality of independent management hierarchies defines an independent security boundary such that network objects of the one or more domains subsumed therein are not made accessible to network objects of any other management hierarchy of the plurality of independent management hierarchies; receiving credentials from a client system, the credentials corresponding to a user of the client system; storing the credentials in a security cookie; extracting a domain-relevant portion from the credentials; based, at least in part, on a search of the domain information cache, identifying a directory level of a particular management hierarchy of the plurality of independent management hierarchies that defines a security boundary for the user; ascertaining a catalog server for the identified directory level; retrieving user-identification information from the catalog server; parsing the user-identification information to yield a domain of the user; authenticating, using the credentials, an identity of the user with an authentication server associated with the domain of the user; responsive to successful authentication: compiling a list of authorized resources to which the user has access; and providing the list of authorized resources to the client system.
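The forest-selection and domain-parsing steps of claims 1, 4 and 6 (match the UPN suffix against the domain information cache, then derive the user's domain from the distinguished name returned by the catalog server) as an added illustration; this is not the patent's or any product's code, and the forest names, suffixes, catalog and authentication server hostnames are constructed. It also enforces the security-boundary property of claim 1 by refusing a login whose suffix matches zero or several forests, or whose DN lands outside the matched forest, rather than guessing.

```python
"""Forest lookup and DN parsing for the multi-forest login flow (constructed example)."""
from dataclasses import dataclass

@dataclass
class Forest:
    name: str
    upn_suffixes: frozenset        # UPN suffixes registered for this forest
    catalog_server: str            # global catalog hostname (assumed, constructed)
    auth_servers: dict             # domain -> authentication server (constructed)

# Constructed domain information cache: one entry per independent management hierarchy.
DOMAIN_CACHE = [
    Forest("tenantA", frozenset({"tenanta.example", "corp.tenanta.example"}),
           "gc.tenanta.example", {"corp.tenanta.example": "dc1.corp.tenanta.example"}),
    Forest("tenantB", frozenset({"tenantb.example"}),
           "gc.tenantb.example", {"tenantb.example": "dc1.tenantb.example"}),
]

def domain_portion(upn: str) -> str:
    """Extract the domain-relevant portion of a user principal name (claim 1)."""
    local, sep, suffix = upn.rpartition("@")
    if not sep or not local or not suffix:
        raise ValueError("credentials do not carry a UPN suffix")
    return suffix.lower()

def find_forest(upn: str, cache=DOMAIN_CACHE) -> Forest:
    """Claim 6: search each forest's UPN suffixes for the domain-relevant portion.
    Exactly one forest may claim a suffix; zero or several means no security
    boundary can be established, so the login is refused instead of guessed."""
    suffix = domain_portion(upn)
    hits = [f for f in cache if suffix in f.upn_suffixes]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} forests match suffix {suffix!r}")
    return hits[0]

def domain_from_dn(dn: str) -> str:
    """Claim 4: parse the distinguished name; the DC= RDNs yield the user's domain."""
    rdns = [r.strip() for r in dn.split(",")]
    labels = [r[3:] for r in rdns if r.upper().startswith("DC=")]
    if not labels:
        raise ValueError("distinguished name has no DC components")
    return ".".join(labels).lower()

def auth_server_for(upn: str, dn: str, cache=DOMAIN_CACHE) -> str:
    """Forest -> catalog server -> DN -> domain -> authentication server for that domain."""
    forest = find_forest(upn, cache)
    domain = domain_from_dn(dn)            # dn would be retrieved from forest.catalog_server
    if domain not in forest.auth_servers:  # the DN must stay inside the matched forest
        raise LookupError(f"domain {domain!r} is outside forest {forest.name}")
    return forest.auth_servers[domain]
```

The real DN lookup against the catalog server is left out; the example takes the DN as an argument so it runs offline.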
September 13, 2016